Skip to main content

IBM i EUVDEUVD-2026-36250

| CVE-2026-7870 HIGH
Uncontrolled Search Path Element (CWE-427)
2026-06-11 ibm GHSA-45c2-g3rg-fwmg
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

IBM i network sign-on makes it AV:N; any authenticated user profile suffices so PR:L; no user interaction needed; successful library-list hijack yields administrator-level code execution, giving C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 15:45 vuln.today

DescriptionNVD

IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege.

AnalysisAI

Privilege escalation in IBM i versions 7.3, 7.4, 7.5, and 7.6 allows an authenticated user to execute attacker-controlled code with administrator privileges due to an unqualified library call (CWE-427, uncontrolled search path). No public exploit identified at time of analysis, but IBM has released a patch and rated the issue as high severity (CVSS 8.8) given the low complexity and high impact across confidentiality, integrity, and availability.

Technical ContextAI

IBM i (formerly OS/400 / i5/OS) is IBM's integrated operating environment for Power Systems, where programs are resolved through a per-job library list rather than fully qualified paths. CWE-427 (Uncontrolled Search Path Element) in this context means a system or trusted program invokes another program or service program by name without qualifying its source library, so whichever library appears earliest in the user's library list supplies the object. If a lower-privileged user can place a malicious object with the same name in a library that precedes the legitimate one, the trusted caller - running under an adopted authority or higher-privileged profile - will load and execute the attacker's code. The affected CPE is cpe:2.3:a:ibm:i:*:*:*:*:*:*:*:*, covering supported IBM i releases 7.3 through 7.6.

RemediationAI

Patch available per vendor advisory: apply the IBM-issued PTFs for each affected release (7.3, 7.4, 7.5, 7.6) as listed in IBM Support advisory https://www.ibm.com/support/pages/node/7275756; the input does not enumerate a single exact fix version, so administrators must select the PTF group matching their installed release. As compensating controls until PTFs are applied, restrict interactive and remote sign-on for non-administrative profiles (limit users with *USE authority to QSYS and avoid granting *CHANGE on shipped libraries), audit and trim user library lists (QUSRLIBL, QSYSLIBL) so attacker-writable libraries cannot precede IBM-supplied ones, and review object authorities on any library where ordinary users have *ADD or *CHANGE - note that tightening library list policy can break poorly-written application installers that depend on writing into shared libraries, so test in a staging LPAR first.

Share

EUVD-2026-36250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy